Difference between revisions of "IDP/Grsecurity"
From ESS-WIKI
(Created page with "=Overview= [https://grsecurity.net/ Grsecurity]® is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intell...") |
|||
Line 17: | Line 17: | ||
gradm -S Check the RBAC system's status | gradm -S Check the RBAC system's status | ||
gradm -F -L /tmp/full_learning.log Enable the grsecurity Full Learning mode | gradm -F -L /tmp/full_learning.log Enable the grsecurity Full Learning mode | ||
+ | |||
+ | =Pass the Qualification3.0= | ||
+ | You need copy the grsec's policy | ||
+ | cp /etc/grsec/policy.example /etc/grsec/policy | ||
+ | |||
+ | =Working with PaX= | ||
+ | In this section you will create default PaX flags on an ELF binary file, then disable the stack flag MPROTECT to let grsecurity access memory pages. | ||
+ | |||
+ | {| class="wikitable" | ||
+ | |- | ||
+ | ! PaX Flag !! Argument to Disable !! Argument to Enable | ||
+ | |- | ||
+ | | PAGEEXEC || -p || -P | ||
+ | |- | ||
+ | | EMUTRAMP || -e|| -E | ||
+ | |- | ||
+ | | MPROTECT || -m || -M | ||
+ | |- | ||
+ | | RANDMMAP || -r || -R | ||
+ | |- | ||
+ | | RANDEXEC || -x || -X | ||
+ | |- | ||
+ | | SEGMEXEC || -s || -S | ||
+ | |} |
Latest revision as of 08:18, 7 March 2016
Contents
Overview
Grsecurity® is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration. It has been actively developed and maintained for the past 14 years. Commercial support for grsecurity is available through Open Source Security, Inc. Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC)
grsecurity’s RBAC provides full learning mode for generating security policy rules. The default policy is located in the /etc/grsec/policy file.
grsecurity RBAC Command Reference
administration utility gradm manages the RBAC system.
command Description gradm -P [rolename] Setup RBAC administration or special role password gradm -E Enable the grsecurity RBAC system gradm -D Disable the grsecurity RBAC system gradm -C Check the RBAC policy for errors gradm -S Check the RBAC system's status gradm -F -L /tmp/full_learning.log Enable the grsecurity Full Learning mode
Pass the Qualification3.0
You need copy the grsec's policy
cp /etc/grsec/policy.example /etc/grsec/policy
Working with PaX
In this section you will create default PaX flags on an ELF binary file, then disable the stack flag MPROTECT to let grsecurity access memory pages.
PaX Flag | Argument to Disable | Argument to Enable |
---|---|---|
PAGEEXEC | -p | -P |
EMUTRAMP | -e | -E |
MPROTECT | -m | -M |
RANDMMAP | -r | -R |
RANDEXEC | -x | -X |
SEGMEXEC | -s | -S |